Overview

overview

10

Static

static

8 (1).exe

windows7_x64

10

8 (1).exe

windows10_x64

10

8 (10).exe

windows7_x64

10

8 (10).exe

windows10_x64

10

8 (11).exe

windows7_x64

8

8 (11).exe

windows10_x64

10

8 (12).exe

windows7_x64

10

8 (12).exe

windows10_x64

10

8 (13).exe

windows7_x64

10

8 (13).exe

windows10_x64

10

8 (14).exe

windows7_x64

10

8 (14).exe

windows10_x64

10

8 (15).exe

windows7_x64

10

8 (15).exe

windows10_x64

10

8 (16).exe

windows7_x64

10

8 (16).exe

windows10_x64

10

8 (17).exe

windows7_x64

10

8 (17).exe

windows10_x64

10

8 (18).exe

windows7_x64

10

8 (18).exe

windows10_x64

10

8 (19).exe

windows7_x64

10

8 (19).exe

windows10_x64

10

8 (2).exe

windows7_x64

10

8 (2).exe

windows10_x64

10

8 (20).exe

windows7_x64

10

8 (20).exe

windows10_x64

10

8 (21).exe

windows7_x64

10

8 (21).exe

windows10_x64

10

8 (22).exe

windows7_x64

10

8 (22).exe

windows10_x64

10

8 (23).exe

windows7_x64

10

8 (23).exe

windows10_x64

10

Resubmissions

13/08/2021, 10:16

210813-wpta271jdx 10

08/08/2021, 23:00

210808-fgs5g9pxfs 10

07/08/2021, 23:12

210807-g2jw1lmd4a 10

07/08/2021, 16:10

210807-51nhct4kfx 10

06/08/2021, 23:43

210806-gc2271nxwj 10

06/08/2021, 06:00

210806-f443x39x8a 10

05/08/2021, 17:08

210805-97y6banvvx 10

04/08/2021, 17:25

210804-hkxx2ntr8x 10

04/08/2021, 12:12

210804-rjbg4b4y7n 10

03/08/2021, 17:12

210803-r2h7ytjwqj 10

Analysis

  • max time kernel
    269s
  • max time network
    1809s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    06/08/2021, 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8 (23).exe

  • Size

    3.0MB

  • MD5

    bb072cad921aa5ce8b97706ce01bc570

  • SHA1

    18bf034906c1341b7817e7361ad27a4425d820bd

  • SHA256

    817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

  • SHA512

    d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Score
10/10
redlinesmokeloadersocelarsvidar933937focus1aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

Focus1

C2

135.148.139.222:33569

Extracted

Family

vidar

Version

39.9

Botnet

937

C2

https://prophefliloc.tumblr.com/

Attributes
  • profile_id

    937

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Registers COM server for autorun 1 TTPs
    persistence
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE GCleaner Downloader Activity M1

    suricata: ET MALWARE GCleaner Downloader Activity M1

    suricata
  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    suricata
  • suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata
  • suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

    suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

    suricata
  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    suricata
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata
  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata
  • Nirsoft 2 IoCs
  • Vidar Stealer 3 IoCs
    stealer
  • ASPack v2.12-2.42 14 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 12 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 10 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 5 IoCs
    evasion
  • Kills process with taskkill 8 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 23 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 47 IoCs
  • Modifies system certificate store 2 TTPs 17 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 8 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:860
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {7783F014-AE0B-40CC-BDD2-D6561EB6ED75} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
          3⤵
            PID:2136
            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
              4⤵
                PID:1652
                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                  5⤵
                    PID:2480
                    • C:\Windows\SysWOW64\schtasks.exe
                      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                      6⤵
                      • Creates scheduled task(s)
                      PID:2908
                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                  4⤵
                    PID:6444
                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                      5⤵
                        PID:8184
                    • C:\Users\Admin\AppData\Roaming\duiwegu
                      C:\Users\Admin\AppData\Roaming\duiwegu
                      4⤵
                        PID:6476
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                        4⤵
                          PID:8336
                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                            5⤵
                              PID:8356
                          • C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe
                            C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe --Task
                            4⤵
                              PID:8844
                              • C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe
                                C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe --Task
                                5⤵
                                  PID:9004
                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                4⤵
                                  PID:8992
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                    5⤵
                                      PID:9016
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                    4⤵
                                      PID:5084
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                        5⤵
                                          PID:8400
                                      • C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe
                                        C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe --Task
                                        4⤵
                                          PID:8564
                                          • C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe
                                            C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe --Task
                                            5⤵
                                              PID:4216
                                          • C:\Users\Admin\AppData\Roaming\wsiwegu
                                            C:\Users\Admin\AppData\Roaming\wsiwegu
                                            4⤵
                                              PID:3064
                                              • C:\Users\Admin\AppData\Roaming\wsiwegu
                                                C:\Users\Admin\AppData\Roaming\wsiwegu
                                                5⤵
                                                  PID:8380
                                              • C:\Users\Admin\AppData\Roaming\duiwegu
                                                C:\Users\Admin\AppData\Roaming\duiwegu
                                                4⤵
                                                  PID:8376
                                                • C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe
                                                  C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe --Task
                                                  4⤵
                                                    PID:2536
                                                    • C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe
                                                      C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31\8E99.exe --Task
                                                      5⤵
                                                        PID:2444
                                                    • C:\Users\Admin\AppData\Roaming\wsiwegu
                                                      C:\Users\Admin\AppData\Roaming\wsiwegu
                                                      4⤵
                                                        PID:2376
                                                        • C:\Users\Admin\AppData\Roaming\wsiwegu
                                                          C:\Users\Admin\AppData\Roaming\wsiwegu
                                                          5⤵
                                                            PID:8648
                                                      • C:\Windows\system32\taskeng.exe
                                                        taskeng.exe {9C20E0EE-9E39-40A4-B2B6-77C8965F01C4} S-1-5-18:NT AUTHORITY\System:Service:
                                                        3⤵
                                                          PID:4988
                                                          • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                            "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
                                                            4⤵
                                                              PID:2664
                                                            • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                              "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
                                                              4⤵
                                                                PID:3872
                                                              • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
                                                                4⤵
                                                                  PID:4804
                                                                • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
                                                                  4⤵
                                                                    PID:4832
                                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
                                                                    4⤵
                                                                      PID:4664
                                                                    • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                      "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
                                                                      4⤵
                                                                        PID:6416
                                                                      • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                        "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
                                                                        4⤵
                                                                          PID:1316
                                                                        • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                          "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
                                                                          4⤵
                                                                            PID:8416
                                                                          • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                            "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
                                                                            4⤵
                                                                              PID:9036
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                          2⤵
                                                                          • Checks processor information in registry
                                                                          • Modifies data under HKEY_USERS
                                                                          • Modifies registry class
                                                                          PID:1644
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                          2⤵
                                                                          • Drops file in System32 directory
                                                                          • Checks processor information in registry
                                                                          • Modifies data under HKEY_USERS
                                                                          • Modifies registry class
                                                                          PID:2240
                                                                        • C:\Windows\system32\msiexec.exe
                                                                          C:\Windows\system32\msiexec.exe /V
                                                                          2⤵
                                                                            PID:4536
                                                                            • C:\Windows\syswow64\MsiExec.exe
                                                                              C:\Windows\syswow64\MsiExec.exe -Embedding 991CDD6EAC17CF59BBB6C129C9473C81 C
                                                                              3⤵
                                                                                PID:4808
                                                                              • C:\Windows\syswow64\MsiExec.exe
                                                                                C:\Windows\syswow64\MsiExec.exe -Embedding E4B729D4DFC043C703A15E855E222485
                                                                                3⤵
                                                                                  PID:1712
                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                    4⤵
                                                                                    • Kills process with taskkill
                                                                                    PID:3240
                                                                                • C:\Windows\syswow64\MsiExec.exe
                                                                                  C:\Windows\syswow64\MsiExec.exe -Embedding E1E7A3577D158ED02D7137D9A5CC03D1 M Global\MSI0000
                                                                                  3⤵
                                                                                    PID:3740
                                                                              • C:\Users\Admin\AppData\Local\Temp\8 (23).exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\8 (23).exe"
                                                                                1⤵
                                                                                • Loads dropped DLL
                                                                                • Suspicious use of WriteProcessMemory
                                                                                PID:2016
                                                                                • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Suspicious use of WriteProcessMemory
                                                                                  PID:1472
                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS0C510E34\setup_install.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zS0C510E34\setup_install.exe"
                                                                                    3⤵
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:788
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c sonia_1.exe
                                                                                      4⤵
                                                                                      • Loads dropped DLL
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:1924
                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0C510E34\sonia_1.exe
                                                                                        sonia_1.exe
                                                                                        5⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        PID:848
                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS0C510E34\sonia_1.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zS0C510E34\sonia_1.exe" -a
                                                                                          6⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          PID:1828
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c sonia_2.exe
                                                                                      4⤵
                                                                                      • Loads dropped DLL
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:1928
                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0C510E34\sonia_2.exe
                                                                                        sonia_2.exe
                                                                                        5⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        • Checks SCSI registry key(s)
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                        PID:1832
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c sonia_3.exe
                                                                                      4⤵
                                                                                      • Loads dropped DLL
                                                                                      PID:1992
                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0C510E34\sonia_3.exe
                                                                                        sonia_3.exe
                                                                                        5⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        • Modifies system certificate store
                                                                                        PID:1620
                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 944
                                                                                          6⤵
                                                                                          • Loads dropped DLL
                                                                                          • Program crash
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2180
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c sonia_4.exe
                                                                                      4⤵
                                                                                      • Loads dropped DLL
                                                                                      PID:984
                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0C510E34\sonia_4.exe
                                                                                        sonia_4.exe
                                                                                        5⤵
                                                                                        • Executes dropped EXE
                                                                                        • Modifies system certificate store
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1452
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c sonia_5.exe
                                                                                      4⤵
                                                                                      • Loads dropped DLL
                                                                                      PID:656
                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0C510E34\sonia_5.exe
                                                                                        sonia_5.exe
                                                                                        5⤵
                                                                                        • Executes dropped EXE
                                                                                        • Checks computer location settings
                                                                                        • Loads dropped DLL
                                                                                        PID:1768
                                                                                        • C:\Users\Admin\Documents\e3GvAHfdu2Nb3Eaqo7xLaGQ6.exe
                                                                                          "C:\Users\Admin\Documents\e3GvAHfdu2Nb3Eaqo7xLaGQ6.exe"
                                                                                          6⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:2592
                                                                                        • C:\Users\Admin\Documents\rcZwucguOQ6olpZIBuIXZx8g.exe
                                                                                          "C:\Users\Admin\Documents\rcZwucguOQ6olpZIBuIXZx8g.exe"
                                                                                          6⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2664
                                                                                        • C:\Users\Admin\Documents\YV0i9Gu1SHGuD5TjWf7pgucR.exe
                                                                                          "C:\Users\Admin\Documents\YV0i9Gu1SHGuD5TjWf7pgucR.exe"
                                                                                          6⤵
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          PID:2644
                                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                            7⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:2692
                                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                            7⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:2024
                                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                            7⤵
                                                                                              PID:1544
                                                                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                              7⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2556
                                                                                          • C:\Users\Admin\Documents\6tuOI2OitL2oN54EHUiFz_DN.exe
                                                                                            "C:\Users\Admin\Documents\6tuOI2OitL2oN54EHUiFz_DN.exe"
                                                                                            6⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetThreadContext
                                                                                            PID:2624
                                                                                            • C:\Users\Admin\Documents\6tuOI2OitL2oN54EHUiFz_DN.exe
                                                                                              C:\Users\Admin\Documents\6tuOI2OitL2oN54EHUiFz_DN.exe
                                                                                              7⤵
                                                                                                PID:936
                                                                                            • C:\Users\Admin\Documents\HRGkjTPachojEBL_NooocEaZ.exe
                                                                                              "C:\Users\Admin\Documents\HRGkjTPachojEBL_NooocEaZ.exe"
                                                                                              6⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of SetThreadContext
                                                                                              PID:2604
                                                                                              • C:\Users\Admin\Documents\HRGkjTPachojEBL_NooocEaZ.exe
                                                                                                "C:\Users\Admin\Documents\HRGkjTPachojEBL_NooocEaZ.exe"
                                                                                                7⤵
                                                                                                • Checks SCSI registry key(s)
                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                PID:2484
                                                                                            • C:\Users\Admin\Documents\3pDxkEtdTkPgP1gJPhp3wWeM.exe
                                                                                              "C:\Users\Admin\Documents\3pDxkEtdTkPgP1gJPhp3wWeM.exe"
                                                                                              6⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2684
                                                                                            • C:\Users\Admin\Documents\fmT5aVqw6NYGDFRh58FpB1dt.exe
                                                                                              "C:\Users\Admin\Documents\fmT5aVqw6NYGDFRh58FpB1dt.exe"
                                                                                              6⤵
                                                                                              • Executes dropped EXE
                                                                                              • Checks SCSI registry key(s)
                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                              PID:2696
                                                                                            • C:\Users\Admin\Documents\5YiSIiIDJzqiqVg7MsQfSxbw.exe
                                                                                              "C:\Users\Admin\Documents\5YiSIiIDJzqiqVg7MsQfSxbw.exe"
                                                                                              6⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2708
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd.exe /c taskkill /f /im chrome.exe
                                                                                                7⤵
                                                                                                  PID:2120
                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                    taskkill /f /im chrome.exe
                                                                                                    8⤵
                                                                                                    • Kills process with taskkill
                                                                                                    PID:2660
                                                                                              • C:\Users\Admin\Documents\3AASygjR3PFXrZg8x5BJ31zo.exe
                                                                                                "C:\Users\Admin\Documents\3AASygjR3PFXrZg8x5BJ31zo.exe"
                                                                                                6⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:2820
                                                                                              • C:\Users\Admin\Documents\JRCOiIogNd_HO8bM3hUqShlp.exe
                                                                                                "C:\Users\Admin\Documents\JRCOiIogNd_HO8bM3hUqShlp.exe"
                                                                                                6⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:2916
                                                                                                • C:\Users\Admin\Documents\JRCOiIogNd_HO8bM3hUqShlp.exe
                                                                                                  "C:\Users\Admin\Documents\JRCOiIogNd_HO8bM3hUqShlp.exe"
                                                                                                  7⤵
                                                                                                    PID:2348
                                                                                                • C:\Users\Admin\Documents\yIKUSqUyTnepxemyd8fOpQ4u.exe
                                                                                                  "C:\Users\Admin\Documents\yIKUSqUyTnepxemyd8fOpQ4u.exe"
                                                                                                  6⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in Program Files directory
                                                                                                  PID:2904
                                                                                                  • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                                                                                    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
                                                                                                    7⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:2440
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                      8⤵
                                                                                                        PID:2928
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                        8⤵
                                                                                                          PID:1632
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                          8⤵
                                                                                                            PID:8500
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                            8⤵
                                                                                                              PID:8928
                                                                                                          • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                                            "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                                                                                                            7⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:1476
                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 276
                                                                                                              8⤵
                                                                                                              • Program crash
                                                                                                              PID:2492
                                                                                                          • C:\Program Files (x86)\Company\NewProduct\customer3.exe
                                                                                                            "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
                                                                                                            7⤵
                                                                                                              PID:1872
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                8⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:2688
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                8⤵
                                                                                                                  PID:2220
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                  8⤵
                                                                                                                    PID:2700
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                    8⤵
                                                                                                                      PID:1568
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                      8⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:2812
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                      8⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Modifies system certificate store
                                                                                                                      PID:2708
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                      8⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:1568
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                      8⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:2472
                                                                                                                • C:\Users\Admin\Documents\le3GXsTk2P1YgKYcASDDpTfY.exe
                                                                                                                  "C:\Users\Admin\Documents\le3GXsTk2P1YgKYcASDDpTfY.exe"
                                                                                                                  6⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:2892
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /im "le3GXsTk2P1YgKYcASDDpTfY.exe" /f & erase "C:\Users\Admin\Documents\le3GXsTk2P1YgKYcASDDpTfY.exe" & exit
                                                                                                                    7⤵
                                                                                                                      PID:2096
                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                        taskkill /im "le3GXsTk2P1YgKYcASDDpTfY.exe" /f
                                                                                                                        8⤵
                                                                                                                        • Kills process with taskkill
                                                                                                                        PID:2404
                                                                                                                  • C:\Users\Admin\Documents\eAFNqgCeODurtrdEnnTLj0_p.exe
                                                                                                                    "C:\Users\Admin\Documents\eAFNqgCeODurtrdEnnTLj0_p.exe"
                                                                                                                    6⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:2876
                                                                                                                    • C:\Users\Admin\Documents\eAFNqgCeODurtrdEnnTLj0_p.exe
                                                                                                                      "{path}"
                                                                                                                      7⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:2928
                                                                                                                  • C:\Users\Admin\Documents\LeNi2tVlndZqkKx2P91YmftJ.exe
                                                                                                                    "C:\Users\Admin\Documents\LeNi2tVlndZqkKx2P91YmftJ.exe"
                                                                                                                    6⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    PID:2868
                                                                                                                    • C:\Users\Admin\Documents\LeNi2tVlndZqkKx2P91YmftJ.exe
                                                                                                                      "{path}"
                                                                                                                      7⤵
                                                                                                                        PID:936
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im LeNi2tVlndZqkKx2P91YmftJ.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\LeNi2tVlndZqkKx2P91YmftJ.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                          8⤵
                                                                                                                          • Blocklisted process makes network request
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:1872
                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                            taskkill /im LeNi2tVlndZqkKx2P91YmftJ.exe /f
                                                                                                                            9⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            PID:572
                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                            timeout /t 6
                                                                                                                            9⤵
                                                                                                                            • Delays execution with timeout.exe
                                                                                                                            PID:2188
                                                                                                                    • C:\Users\Admin\Documents\K_E0ZK9dgcbIdstDjPKWS_tB.exe
                                                                                                                      "C:\Users\Admin\Documents\K_E0ZK9dgcbIdstDjPKWS_tB.exe"
                                                                                                                      6⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:2856
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im "K_E0ZK9dgcbIdstDjPKWS_tB.exe" /f & erase "C:\Users\Admin\Documents\K_E0ZK9dgcbIdstDjPKWS_tB.exe" & exit
                                                                                                                        7⤵
                                                                                                                          PID:2104
                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                            taskkill /im "K_E0ZK9dgcbIdstDjPKWS_tB.exe" /f
                                                                                                                            8⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            PID:2416
                                                                                                                      • C:\Users\Admin\Documents\4THvVKOOdUGFt_pu8E058Q6V.exe
                                                                                                                        "C:\Users\Admin\Documents\4THvVKOOdUGFt_pu8E058Q6V.exe"
                                                                                                                        6⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Checks processor information in registry
                                                                                                                        PID:2844
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im 4THvVKOOdUGFt_pu8E058Q6V.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\4THvVKOOdUGFt_pu8E058Q6V.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                          7⤵
                                                                                                                            PID:2336
                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                              taskkill /im 4THvVKOOdUGFt_pu8E058Q6V.exe /f
                                                                                                                              8⤵
                                                                                                                              • Kills process with taskkill
                                                                                                                              PID:1736
                                                                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                                                                              timeout /t 6
                                                                                                                              8⤵
                                                                                                                              • Delays execution with timeout.exe
                                                                                                                              PID:3040
                                                                                                                        • C:\Users\Admin\Documents\xpdURsIO3FhDTf81P8iX12Wf.exe
                                                                                                                          "C:\Users\Admin\Documents\xpdURsIO3FhDTf81P8iX12Wf.exe"
                                                                                                                          6⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies system certificate store
                                                                                                                          PID:3052
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                            7⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:2228
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                            7⤵
                                                                                                                              PID:1872
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                              7⤵
                                                                                                                                PID:8952
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                7⤵
                                                                                                                                  PID:6472
                                                                                                                              • C:\Users\Admin\Documents\3WGSRik5JjH1tzOoo3ZEzhJT.exe
                                                                                                                                "C:\Users\Admin\Documents\3WGSRik5JjH1tzOoo3ZEzhJT.exe"
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:3044
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-3BR44.tmp\3WGSRik5JjH1tzOoo3ZEzhJT.tmp
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-3BR44.tmp\3WGSRik5JjH1tzOoo3ZEzhJT.tmp" /SL5="$1019E,138429,56832,C:\Users\Admin\Documents\3WGSRik5JjH1tzOoo3ZEzhJT.exe"
                                                                                                                                  7⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Modifies system certificate store
                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                  PID:900
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-K5PPM.tmp\Setup.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-K5PPM.tmp\Setup.exe" /Verysilent
                                                                                                                                    8⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                    PID:2980
                                                                                                                                    • C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
                                                                                                                                      "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
                                                                                                                                      9⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Checks processor information in registry
                                                                                                                                      PID:3064
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im GameBox64bit.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                        10⤵
                                                                                                                                          PID:2524
                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                            taskkill /im GameBox64bit.exe /f
                                                                                                                                            11⤵
                                                                                                                                            • Kills process with taskkill
                                                                                                                                            PID:1644
                                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                            timeout /t 6
                                                                                                                                            11⤵
                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                            PID:2768
                                                                                                                                      • C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
                                                                                                                                        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"
                                                                                                                                        9⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:2220
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                          10⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          PID:2160
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                          10⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          PID:1988
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                          10⤵
                                                                                                                                            PID:760
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                            10⤵
                                                                                                                                              PID:2212
                                                                                                                                          • C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
                                                                                                                                            "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"
                                                                                                                                            9⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:1632
                                                                                                                                            • C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
                                                                                                                                              "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a
                                                                                                                                              10⤵
                                                                                                                                                PID:2632
                                                                                                                                            • C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
                                                                                                                                              "C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"
                                                                                                                                              9⤵
                                                                                                                                                PID:2532
                                                                                                                                                • C:\Users\Admin\AppData\Roaming\1129634.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\1129634.exe"
                                                                                                                                                  10⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:2448
                                                                                                                                                  • C:\Windows\system32\WerFault.exe
                                                                                                                                                    C:\Windows\system32\WerFault.exe -u -p 2448 -s 1764
                                                                                                                                                    11⤵
                                                                                                                                                    • Program crash
                                                                                                                                                    PID:2776
                                                                                                                                                • C:\Users\Admin\AppData\Roaming\3195959.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\3195959.exe"
                                                                                                                                                  10⤵
                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                  PID:2800
                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                    11⤵
                                                                                                                                                      PID:2312
                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\6805045.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\6805045.exe"
                                                                                                                                                    10⤵
                                                                                                                                                      PID:1420
                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\2387716.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\2387716.exe"
                                                                                                                                                      10⤵
                                                                                                                                                        PID:1840
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1768
                                                                                                                                                          11⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Program crash
                                                                                                                                                          PID:2700
                                                                                                                                                    • C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
                                                                                                                                                      "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
                                                                                                                                                      9⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:2428
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 276
                                                                                                                                                        10⤵
                                                                                                                                                        • Program crash
                                                                                                                                                        PID:2956
                                                                                                                                                    • C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
                                                                                                                                                      "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
                                                                                                                                                      9⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:1948
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-JJN1L.tmp\GameBoxWin32.tmp
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-JJN1L.tmp\GameBoxWin32.tmp" /SL5="$400DE,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
                                                                                                                                                        10⤵
                                                                                                                                                          PID:2872
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-9AVJD.tmp\Daldoula.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-9AVJD.tmp\Daldoula.exe" /S /UID=burnerch2
                                                                                                                                                            11⤵
                                                                                                                                                            • Drops file in Drivers directory
                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                            PID:2596
                                                                                                                                                            • C:\Program Files\VideoLAN\PDFFLHCFGL\ultramediaburner.exe
                                                                                                                                                              "C:\Program Files\VideoLAN\PDFFLHCFGL\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                              12⤵
                                                                                                                                                                PID:1068
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-SCPGN.tmp\ultramediaburner.tmp
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-SCPGN.tmp\ultramediaburner.tmp" /SL5="$B021A,281924,62464,C:\Program Files\VideoLAN\PDFFLHCFGL\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                                  13⤵
                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                                                  PID:2404
                                                                                                                                                                  • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                                                                                                                                                    "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                                                                                                                                                    14⤵
                                                                                                                                                                      PID:2372
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\79-84cfb-4f0-59ba1-3c9b9909434c2\Kumifahigi.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\79-84cfb-4f0-59ba1-3c9b9909434c2\Kumifahigi.exe"
                                                                                                                                                                  12⤵
                                                                                                                                                                    PID:2756
                                                                                                                                                                    • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                                                                                                                                                                      13⤵
                                                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                      PID:760
                                                                                                                                                                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                                                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:275457 /prefetch:2
                                                                                                                                                                        14⤵
                                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                        PID:2220
                                                                                                                                                                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                                                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:2503702 /prefetch:2
                                                                                                                                                                        14⤵
                                                                                                                                                                          PID:8332
                                                                                                                                                                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                                                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:3093524 /prefetch:2
                                                                                                                                                                          14⤵
                                                                                                                                                                            PID:8840
                                                                                                                                                                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                                                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:996410 /prefetch:2
                                                                                                                                                                            14⤵
                                                                                                                                                                              PID:8744
                                                                                                                                                                            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                                                              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:2962503 /prefetch:2
                                                                                                                                                                              14⤵
                                                                                                                                                                                PID:1232
                                                                                                                                                                            • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                              "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
                                                                                                                                                                              13⤵
                                                                                                                                                                                PID:2120
                                                                                                                                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                                "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
                                                                                                                                                                                13⤵
                                                                                                                                                                                  PID:8140
                                                                                                                                                                                • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                                  "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
                                                                                                                                                                                  13⤵
                                                                                                                                                                                    PID:8436
                                                                                                                                                                                  • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                                    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=2087215
                                                                                                                                                                                    13⤵
                                                                                                                                                                                      PID:1576
                                                                                                                                                                                    • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                                      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=4263119
                                                                                                                                                                                      13⤵
                                                                                                                                                                                        PID:8728
                                                                                                                                                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                                        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=1294231
                                                                                                                                                                                        13⤵
                                                                                                                                                                                          PID:5896
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\c1-30974-267-e0888-fd214136a3b68\ZHurykususa.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\c1-30974-267-e0888-fd214136a3b68\ZHurykususa.exe"
                                                                                                                                                                                        12⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        PID:2888
                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\piexdpj1.don\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                          13⤵
                                                                                                                                                                                            PID:3812
                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dofuiiaf.vjp\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                            13⤵
                                                                                                                                                                                              PID:4228
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\dofuiiaf.vjp\installer.exe
                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\dofuiiaf.vjp\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                14⤵
                                                                                                                                                                                                  PID:4272
                                                                                                                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\dofuiiaf.vjp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\dofuiiaf.vjp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1627970605 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                      PID:5028
                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\smra0wh4.izr\ufgaa.exe & exit
                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                    PID:4648
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\smra0wh4.izr\ufgaa.exe
                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\smra0wh4.izr\ufgaa.exe
                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                        PID:4692
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                          15⤵
                                                                                                                                                                                                            PID:3296
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                              PID:3964
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                              15⤵
                                                                                                                                                                                                                PID:4500
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                15⤵
                                                                                                                                                                                                                  PID:2212
                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lzb3rjim.tss\anyname.exe & exit
                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                PID:1872
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lzb3rjim.tss\anyname.exe
                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\lzb3rjim.tss\anyname.exe
                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                    PID:2212
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lzb3rjim.tss\anyname.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\lzb3rjim.tss\anyname.exe" -q
                                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                                        PID:3132
                                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iozydqgp.mh1\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                      PID:3256
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c sonia_6.exe
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                    PID:620
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0C510E34\sonia_6.exe
                                                                                                                                                                                                      sonia_6.exe
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                      PID:396
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                        PID:1720
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        PID:2216
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                          PID:2680
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                            PID:2496
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c sonia_7.exe
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                          PID:1648
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 412
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:1516
                                                                                                                                                                                                  • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Process spawned unexpected child process
                                                                                                                                                                                                    PID:748
                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      PID:612
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\8E99.exe
                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\8E99.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    PID:2836
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\8E99.exe
                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\8E99.exe
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                      PID:2108
                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                        icacls "C:\Users\Admin\AppData\Local\7f7ff071-8a38-4b16-8dfa-a6e1f9d1fd31" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                        PID:2460
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\8E99.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\8E99.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                        PID:536
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\8E99.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\8E99.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                          PID:936
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\0218306c-9877-4bc0-96b9-450befcd7d16\build2.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\0218306c-9877-4bc0-96b9-450befcd7d16\build2.exe"
                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                            PID:2532
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\0218306c-9877-4bc0-96b9-450befcd7d16\build2.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\0218306c-9877-4bc0-96b9-450befcd7d16\build2.exe"
                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                              PID:1108
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\0218306c-9877-4bc0-96b9-450befcd7d16\build2.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                  PID:2636
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                    taskkill /im build2.exe /f
                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                    PID:296
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                    timeout /t 6
                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                                    PID:2024
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\0218306c-9877-4bc0-96b9-450befcd7d16\build3.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\0218306c-9877-4bc0-96b9-450befcd7d16\build3.exe"
                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                PID:2916
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\0218306c-9877-4bc0-96b9-450befcd7d16\build3.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\0218306c-9877-4bc0-96b9-450befcd7d16\build3.exe"
                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                    PID:2364
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                      • Blocklisted process makes network request
                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                      PID:2348
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\A2B6.exe
                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\A2B6.exe
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                            PID:2888
                                                                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe "8624232681087978791049133854946241669922108127-1650920014-12282198971001051176"
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            PID:1544
                                                                                                                                                                                                          • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                            PID:2940
                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:2532
                                                                                                                                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                              C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                              PID:2916
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\349A.exe
                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\349A.exe
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:3732
                                                                                                                                                                                                                • C:\Windows\SysWOW64\dllhost.exe
                                                                                                                                                                                                                  "C:\Windows\System32\dllhost.exe"
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:8108
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c cmd < Perisce.jar
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:8124
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        cmd
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:8164
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                                                                            findstr /V /R "^RjxbYtQhXRvMStXsrWjZzMEutIshVobYBYKPlbziZPusCiQZrGYjUBLtHgafMCaOxblTxouFDtZDGjDXRslgl$" Presto.jar
                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                              PID:4984
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com
                                                                                                                                                                                                                              Preme.exe.com r
                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                PID:8188
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com r
                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                    PID:5048
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                  ping localhost -n 30
                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                  • Runs ping.exe
                                                                                                                                                                                                                                  PID:8168
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\3B6E.exe
                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\3B6E.exe
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                              PID:6440
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\B964.exe
                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\B964.exe
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                PID:4048
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\CthcnyfEjhTo.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\CthcnyfEjhTo.exe"
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:2084
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\D06E.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\D06E.exe
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                    PID:4884
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\3AF.exe
                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\3AF.exe
                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                      PID:8320
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3AF.exe"
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:8676
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                            timeout /T 10 /NOBREAK
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                                                                            PID:8748
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1C10.exe
                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\1C10.exe
                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                          PID:8428
                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\31D2.exe
                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\31D2.exe
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                            PID:8520
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\5164.exe
                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\5164.exe
                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                              PID:8620
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                              C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                PID:8644
                                                                                                                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                C:\Windows\explorer.exe
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                  PID:8664
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                    PID:8716
                                                                                                                                                                                                                                                  • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                    C:\Windows\explorer.exe
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                      PID:8760
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                        PID:8780
                                                                                                                                                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                        C:\Windows\explorer.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                          PID:8788
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                            PID:8816
                                                                                                                                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                            C:\Windows\explorer.exe
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                              PID:8832
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                PID:8884
                                                                                                                                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                explorer.exe
                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                  PID:4584

                                                                                                                                                                                                                                                                Network

                                                                                                                                                                                                                                                                MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                                                                • memory/612-179-0x0000000000220000-0x000000000027D000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  372KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/612-178-0x0000000002070000-0x0000000002171000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  1.0MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-122-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  572KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  572KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-92-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  1.1MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-118-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  152KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-138-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  152KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-103-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-147-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  1.1MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-114-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/788-108-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/860-180-0x0000000001030000-0x000000000107C000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  304KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/860-181-0x0000000001A60000-0x0000000001AD1000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  452KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-286-0x00000000037C0000-0x0000000003817000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  348KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-294-0x00000000037C0000-0x0000000003817000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  348KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-300-0x00000000039C0000-0x00000000039C1000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-275-0x0000000000260000-0x0000000000261000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-299-0x00000000039B0000-0x00000000039B1000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-298-0x0000000003860000-0x0000000003861000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-280-0x00000000003B0000-0x00000000003B1000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-297-0x0000000003850000-0x0000000003851000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-281-0x0000000000540000-0x0000000000541000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-282-0x0000000000550000-0x0000000000551000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-283-0x0000000000560000-0x0000000000561000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-284-0x0000000001F20000-0x0000000001F21000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-285-0x0000000001F30000-0x0000000001F31000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-289-0x00000000037C0000-0x0000000003817000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  348KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-287-0x00000000037C0000-0x0000000003817000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  348KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-296-0x0000000003840000-0x0000000003841000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-295-0x0000000003820000-0x0000000003821000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-288-0x00000000037C0000-0x0000000003817000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  348KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/900-290-0x00000000037C0000-0x0000000003817000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  348KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/936-268-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  120KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/936-276-0x0000000004F10000-0x0000000004F11000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/1256-188-0x0000000003930000-0x0000000003945000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  84KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/1256-316-0x0000000003A70000-0x0000000003A85000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  84KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/1452-152-0x0000000000420000-0x0000000000422000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/1452-146-0x0000000000310000-0x0000000000311000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/1516-185-0x00000000004A0000-0x00000000004A1000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/1620-184-0x0000000000400000-0x00000000008F2000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4.9MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/1620-183-0x0000000000900000-0x000000000099D000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  628KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/1644-182-0x00000000004C0000-0x0000000000531000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  452KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/1832-177-0x0000000000400000-0x0000000000896000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4.6MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/1832-176-0x0000000000240000-0x0000000000249000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2016-60-0x00000000765F1000-0x00000000765F3000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2180-191-0x0000000000600000-0x0000000000601000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2240-195-0x0000000000060000-0x00000000000AE000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  312KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2240-198-0x00000000027F0000-0x00000000028F6000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  1.0MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2240-196-0x00000000004C0000-0x0000000000534000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  464KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2240-197-0x0000000000270000-0x000000000028B000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  108KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2240-199-0x000007FEFC411000-0x000007FEFC413000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2592-317-0x00000000001E0000-0x000000000020F000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  188KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2624-239-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2624-257-0x0000000000590000-0x0000000000591000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2644-252-0x0000000002020000-0x000000000208F000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  444KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2644-253-0x00000000031E0000-0x00000000032AF000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  828KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2684-306-0x0000000000400000-0x0000000002C61000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  40.4MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2692-267-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  340KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2696-304-0x00000000003C0000-0x00000000003C9000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2696-302-0x0000000000400000-0x0000000002C61000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  40.4MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2820-233-0x0000000000200000-0x0000000000210000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  64KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2820-235-0x00000000002A0000-0x00000000002B2000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  72KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2844-311-0x0000000003230000-0x0000000005AF3000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  40.8MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2844-312-0x0000000000400000-0x0000000002CC3000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  40.8MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2856-241-0x0000000000400000-0x000000000325A000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  46.4MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2856-240-0x0000000000240000-0x000000000026E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  184KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2868-248-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2868-258-0x0000000004F70000-0x0000000004F71000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2876-254-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2876-246-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2892-303-0x00000000001D0000-0x00000000001FF000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  188KB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/2892-301-0x0000000000400000-0x0000000002C75000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  40.5MB

                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                • memory/3044-242-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  80KB

                                                                                                                                                                                                                                                                  Download